4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-05-18 - Insecure Temporary File Path
**Vulnerability:** Hardcoded predictable temporary file paths (e.g., `/tmp/yq`) in shell scripts executing with elevated privileges (`sudo`).
**Learning:** Using predictable paths allows local privilege escalation and symlink attacks. Attackers can pre-create symlinks pointing to critical system files.
**Prevention:** Always use securely generated random directories like `mktemp -d` to handle temporary files securely.
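Review bot: The Prevention line records only `mktemp -d`, but the apt.sh change in this same PR shows two more parts of the pattern that a learnings file should capture: the staging directory must be removed on every exit path (the new code only removes it after a successful install, so a failed `wget` leaves it behind), and what is downloaded should be verified before a privileged `mv` puts it into PATH. Suggest extending the line to something like: "use `mktemp -d`, register `trap 'rm -rf "$TMP_DIR"' EXIT` for cleanup, and check the download against a published checksum before moving it with `sudo`." The Learning line is accurate as written; it might add that the risk applies to any fixed name under a world-writable directory, not just `/tmp/yq`.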
Comment on lines +1 to +4
⚠️ Potential issue | 🟡 Minor

Address markdownlint failures from CI pipeline.

The documentation content is valuable, but the CI lint check is failing. Issues flagged:

  • MD041: First line should be a top-level heading (# instead of ##)
  • MD022: Missing blank line after heading
  • MD013: Lines 2-4 exceed the 80-character limit
πŸ“ Proposed fix to pass linting
-## 2024-05-18 - Insecure Temporary File Path
-**Vulnerability:** Hardcoded predictable temporary file paths (e.g., `/tmp/yq`) in shell scripts executing with elevated privileges (`sudo`).
-**Learning:** Using predictable paths allows local privilege escalation and symlink attacks. Attackers can pre-create symlinks pointing to critical system files.
-**Prevention:** Always use securely generated random directories like `mktemp -d` to handle temporary files securely.
+# Security Learnings
+
+## 2024-05-18 - Insecure Temporary File Path
+
+**Vulnerability:** Hardcoded predictable temporary file paths (e.g., `/tmp/yq`)
+in shell scripts executing with elevated privileges (`sudo`).
+
+**Learning:** Using predictable paths allows local privilege escalation and
+symlink attacks. Attackers can pre-create symlinks pointing to critical
+system files.
+
+**Prevention:** Always use securely generated random directories like
+`mktemp -d` to handle temporary files securely.
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2024-05-18 - Insecure Temporary File Path
**Vulnerability:** Hardcoded predictable temporary file paths (e.g., `/tmp/yq`) in shell scripts executing with elevated privileges (`sudo`).
**Learning:** Using predictable paths allows local privilege escalation and symlink attacks. Attackers can pre-create symlinks pointing to critical system files.
**Prevention:** Always use securely generated random directories like `mktemp -d` to handle temporary files securely.
# Security Learnings
## 2024-05-18 - Insecure Temporary File Path
**Vulnerability:** Hardcoded predictable temporary file paths (e.g., `/tmp/yq`)
in shell scripts executing with elevated privileges (`sudo`).
**Learning:** Using predictable paths allows local privilege escalation and
symlink attacks. Attackers can pre-create symlinks pointing to critical
system files.
**Prevention:** Always use securely generated random directories like
`mktemp -d` to handle temporary files securely.
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 117] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 161] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 141] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-05-18 - Insecure Tempo..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-05-18 - Insecure Temporary File Path"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, change the second-level heading to a
top-level heading and add a blank line after it, then wrap or reflow the long
lines (lines containing the Vulnerability, Learning, and Prevention text) so no
line exceeds 80 characters; specifically edit the heading "## 2024-05-18 -
Insecure Temporary File Path" to "# 2024-05-18 - Insecure Temporary File Path",
insert a blank line after that heading, and break the sentences in the three
bullet-like lines into shorter lines or additional paragraphs so each line is
<=80 chars while preserving the original wording for "Vulnerability:",
"Learning:", and "Prevention:".
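The Prevention entry quoted in the comment above names the pattern but does not show it end to end. The following is an added example, not code from this PR, from the bot's comment, or from the apt.sh script: the same installer step written with a private staging directory, cleanup on every exit path, a checksum check before anything is placed in PATH, and install(1) instead of mv + chmod. `install_artifact`, `demo`, the placeholder artifact and its checksum are constructed for this example; it assumes POSIX sh with GNU coreutils (mktemp, sha256sum, install) and replaces the network fetch with a local copy so it runs offline and without sudo.

```shell
#!/bin/sh
# Added example, not code from the PR: the hardened temporary-file pattern
# described in the sentinel.md entry, as a reusable installer step.
# Assumes POSIX sh with GNU coreutils (mktemp, sha256sum, install). The
# network fetch is replaced by a local copy so the example runs offline.
set -eu

# The pattern the PR removes, kept here only for contrast (do not use):
#   wget "$url" -O /tmp/yq
#   sudo mv /tmp/yq /usr/local/bin/yq
# /tmp/yq is a fixed name inside a world-writable directory, so any local
# user can create it (or a symlink there) before the privileged mv runs.

# install_artifact SRC DEST EXPECTED_SHA256
# Stages SRC in a private mktemp directory, verifies its SHA-256 against
# EXPECTED_SHA256 and only then installs it at DEST with mode 0755.
# Exit status: 0 on success, 1 on checksum mismatch (DEST is left
# untouched). The staging directory is removed on every exit path.
install_artifact() {
    src=$1; dest=$2; expected=$3
    # Subshell so the EXIT trap fires when this step ends, success or not.
    (
        tmp_dir=$(mktemp -d)              # mode 0700, unpredictable name
        trap 'rm -rf "$tmp_dir"' EXIT     # cleanup even if cp/sha256sum fail
        # In the real installer this line is: wget "$url" -O "$tmp_dir/artifact"
        cp "$src" "$tmp_dir/artifact"
        actual=$(sha256sum "$tmp_dir/artifact" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "checksum mismatch for $src: got $actual" >&2
            exit 1
        fi
        # install(1) copies and sets the mode in one step. Under sudo, add
        # -o root -g root so the binary in root's PATH is not left owned by
        # the unprivileged user, which is what mv + chmod would leave behind.
        install -m 0755 "$tmp_dir/artifact" "$dest"
    )
}

# Demo with a constructed artifact standing in for a downloaded binary.
demo() {
    work=$(mktemp -d)
    printf '#!/bin/sh\necho yq-placeholder\n' > "$work/download"
    good=$(sha256sum "$work/download" | cut -d' ' -f1)     # constructed "published" checksum
    install_artifact "$work/download" "$work/bin-yq" "$good"
    ls -l "$work/bin-yq"                                  # shows mode 0755
    rm -rf "$work"
}

demo
```

Compared with the yq block in apt.sh, the differences that matter are the `trap`, which removes the directory even when the fetch fails, the checksum gate, which stops a truncated or substituted download from ever reaching `$dest`, and `install`, which sets ownership and mode in the same step that creates the file.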

13 changes: 8 additions & 5 deletions tools/os_installers/apt.sh
@@ -231,18 +231,21 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
TMP_DIR=$(mktemp -d)
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
rm -rf "$TMP_DIR"
fi

# Install lsd (LSDeluxe)
echo "Installing lsd..."
if ! command -v lsd &> /dev/null; then
LSD_VERSION="1.1.5"
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
rm "lsd_${LSD_VERSION}_amd64.deb"
TMP_DIR=$(mktemp -d)
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb"
sudo dpkg -i "$TMP_DIR/lsd.deb"
rm -rf "$TMP_DIR"
fi

# Install Tesseract OCR
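Review bot: `sudo mv "$TMP_DIR/yq" /usr/local/bin/yq` followed by `sudo chmod +x /usr/local/bin/yq` leaves the installed binary owned by the unprivileged user who ran `wget`, because mv keeps the file's owner when run as root; a binary in root's PATH that its downloader can later rewrite undoes much of what the `mktemp -d` change buys. Replace the mv + chmod pair with `sudo install -m 0755 -o root -g root "$TMP_DIR/yq" /usr/local/bin/yq`. Two smaller points in the same hunk: `rm -rf "$TMP_DIR"` runs only on the success path, so a failed download leaves the directory behind (a `trap 'rm -rf "$TMP_DIR"' EXIT` right after each `mktemp -d` covers every exit), and wget's exit status is never checked, so a failed or partial download is still moved into place and marked executable; `wget ... || exit 1`, or `set -e` at the top of the script if it is not already there, would stop that. The lsd block shares the cleanup gap, though dpkg will at least reject a truncated .deb.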